Upgrade

Over the past few weeks, I’ve been absolutely inundated with requests to clean up hacks that have exploited the much publicized Timthumb.php vulnerability. I have to assume that the reason most people aren’t plugging up this security hole on their sites is either

They don’t feel confident in their ability to find the problem

They feel like the process to fix it is too complicated

To combat this, I took a couple of hours this morning to write a plugin that will do the dirty work for you. The WordPress Timthumb Vulnerability Scanner will check your entire wp-content directory (including all themes, plugins, and uploads) for any vulnerable (pre-2.0) instances of the timthumb script, and give you a one-click fix that upgrades each script to the latest, secure version.

The process is simple:

Install and activate using either FTP, or the built in WordPress uploader

Go to the “Timthumb Scanner” page, under the “Tools” menu

Click the “Scan” button.

View your scan results
In this case, I’ve got one vulnerable (outdated) file, and 2 that have been updated and are safe. I’m going to want to upgrade that one vulnerable file – to do that, I just need to hit the “Fix” button next to it.
You may not have any instances of timthumb on your site, or all of yours may be upgraded – if so, you’re all done!
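For readers who want to see what the scan step actually does, here is an added example (my own illustration, not the plugin’s code) that walks a wp-content tree and reports every timthumb copy below 2.0. It assumes the script identifies itself with a line like define ('VERSION', '2.8.10'); and mentions “timthumb” in its text; the sample tree it builds is constructed for the demo.

```python
"""Added example (not the post's plugin): report outdated timthumb copies
under a wp-content tree, the check the scanner described above performs.
Assumption: the script declares itself with define ('VERSION', '2.8.10');
and its text mentions "timthumb"; versions below 2.0 count as vulnerable."""
import os
import re
import tempfile

VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9.]+)['"]\s*\)""")
FIXED_VERSION = (2, 0)  # first release the post treats as safe

def parse_version(text):
    """Return the declared version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)

def scan_wp_content(root):
    """Classify every PHP file under root that mentions timthumb, matching on
    content so copies that themes ship renamed (e.g. thumb.php) are caught."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if "timthumb" not in text.lower():
                continue
            ver = parse_version(text)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = ("unknown" if ver is None else  # no version: check by hand
                            "vulnerable" if ver < FIXED_VERSION else "safe")
    return results

def demo():
    """Scan a constructed wp-content tree: one outdated copy, two current."""
    root = tempfile.mkdtemp()
    samples = {"themes/old-theme/timthumb.php": "1.34",
               "themes/new-theme/thumb.php": "2.8.10",
               "plugins/gallery/timthumb.php": "2.0"}
    for rel, ver in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write("<?php\n// TimThumb script\ndefine ('VERSION', '%s');\n" % ver)
    return scan_wp_content(root)
```

Point scan_wp_content at a real wp-content directory to get the same three-way result (vulnerable / safe / unknown) the plugin’s results page shows; “unknown” entries are copies with no version string and deserve a manual look.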

Yesterday we talked about how to access your WordPress site via FTP – today, we’ll talk about something more important: Upgrading or reinstalling WordPress using FTP instead of the WordPress backend.

Why?

Again – this all comes down to saving your own butt. If an automatic upgrade fails in the middle, you’re in trouble – chances are that some, but not all of the files necessary have been reinstalled/updated. Because of this, the Dashboard is often left inaccessible, and you have to fall back on your old friend FTP.

Other reasons you might do this:

You got hacked, and you want to make sure your core WP files are clean.

You started tinkering with Core WordPress files, and now the site doesn’t work

You uploaded a shady plugin which modified core WordPress files, and now the site doesn’t work

Public Service Announcement

Back up your site before you do this. Please. If you mess it up, and lose all your uploads, you’re going to be really mad, maybe at me. Don’t have a backup service? Good news – I have one that I can shamelessly plug. Check it out at the front page.

Step 2: Unzip it

Next, you need to extract the zip you downloaded. Hopefully this isn’t too tricky – as long as you know where your downloads end up. In most cases, it’s as simple as finding the zip file and double clicking it. You should end up with a folder titled “WordPress”, which has the entirety of a WordPress install inside of it.

Step 3: Upload it

All that’s left is to upload. Now – you need to take some special consideration before you just go uploading all these files. Make sure you’re:

Uploading the right things

To the right place

Simple, right? Here’s what we need to do: We want to upload the contents of the WordPress folder (which we just extracted) to the directory on our web server where WordPress is installed, with one important caveat:

We don’t want to overwrite wp-content

That deserved to be bolded. The wp-content folder holds your themes, plugins, and uploads – and we don’t want to overwrite it with the default WordPress content. So, we’re going to upload everything except that.

Upload Everything BUT wp-content

Now that we’re ready to upload, we’ll just click and drag that mess into FileZilla – making sure that in FileZilla, we’re looking at the current WordPress install (you should be looking at the inside of a directory that has wp-load.php in it).
When it asks if you’d like to overwrite files, go ahead and check “Overwrite”, as well as “Always use this action” and click “Ok”. Before clicking “Ok” would be a good time to double check that you’ve backed up, and you’re not overwriting wp-content.

Now, this is going to take a while – WordPress has a lot of files. Go eat a sandwich, it will be done when you get back.

All done. Now what?

Now head back over to your site and get a feel for your handiwork. If you were just trying to fix a problem, ideally at this point your site is working again. If the upload went ok, and your site still isn’t working, the problem lies somewhere else – check your plugins and themes if you haven’t already.

If you were doing this to upgrade your WordPress install, you’ve got one more step. Head over to yoursite.com/wp-admin, and you should be presented with a screen saying you need to upgrade your database. Go ahead and approve that, give it a minute to think, and you should be redirected to the login page – and you’re done!